package com.xjc.market.frame.filter;

import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.beans.factory.annotation.Autowired;

public class AntiSqlInjectionfilter implements HandlerInterceptor {
	private Logger log = Logger.getLogger(AntiSqlInjectionfilter.class);

	@Override
	public void afterCompletion(HttpServletRequest arg0,
			HttpServletResponse arg1, Object arg2, Exception arg3)
			throws Exception {
	}

	@Override
	public void postHandle(HttpServletRequest arg0, HttpServletResponse arg1,
			Object arg2, ModelAndView arg3) throws Exception {
	}

	@Override
	public boolean preHandle(HttpServletRequest request,
			HttpServletResponse response, Object arg2) throws Exception {
		//begin modify dengxq 同一时段只能有一个用户登录  2016-10-24
		String path = request.getContextPath();
		String basePath = request.getScheme() + "://" + request.getServerName()
				+ ":" + request.getServerPort() + path + "/";
		// Begin liangcz 2017-03-31 注释掉这行代码
		//CustLoginServiceReponseDTO users = PageFrom.getSessionUser(request);// 获取登录信息
		// End liangcz 2017-03-31
//		if(users!=null)
//		{
//			try {
//				
//				String sessionID  =jedisCache.get(users.getCodCustCode()==null?"abc":users.getCodCustCode())==null?null:(String)jedisCache.get(users.getCodCustCode());				
//				if(sessionID!=null&&!sessionID.equals(request.getSession().getId()))
//				{
//					request.getSession().invalidate();			
//					String logurl = basePath + "login.do?logout=0";
//					response.sendRedirect(logurl);
//					return false;
//				}
//			} catch (Throwable e) {
//				e.printStackTrace();
//			}
//			
//		}	
		//end modify dengxq 同一时段只能有一个用户登录  2016-10-24
		Enumeration<String> names = request.getParameterNames();
		while (names.hasMoreElements()) {
			String name = names.nextElement();
			String[] values = request.getParameterValues(name);
			// service跳转url,certReqBuf证书,certSignBuf证书，证书csrSignedData
			if (!"service".equals(name)) {
				for (int i = 0; i < values.length; i++) {
					if (sqlValidate(values[i])) {
						log.info("请不要尝试注入:'" + name + "'=" + values[i]);
						System.out.println(request.getContentType());
						
						 response.setContentType("text/html;charset=utf-8");
						response.getWriter()
								.print("请不要尝试注入<br><a href='#' onclick='history.go(-1)'>返回</a>");
						return false;

					}
				}
			}
		}
		return true;
	}

	// 效验
	protected static boolean sqlValidate(String str) {
		str = str.toLowerCase();// 统一转为小写
		// 过滤掉的sql关键字，可以手动添加
		/*String badStr = "'|and|exec|execute|insert|select|delete|update|count|drop|*|%|chr|mid|master|truncate|"
				+ "char|declare|sitename|net user|xp_cmdshell|;|'or|+|like'|and|exec|execute|insert|create|drop|"
				+ "table|from|grant|use|group_concat|column_name|"
				+ "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|"
				+ "chr|mid|master|truncate|char|declare|or|;|--|+|like|//|/|%|#";*/
		
		String badStr = "*|+|--|+|//|/|%|\\|`|'";
		String[] badStrs = badStr.split("\\|");
		for (int i = 0; i < badStrs.length; i++) {
			if (str.indexOf(badStrs[i]) >= 0) {
				return true;
			}
		}
		return false;
	}
}